Hi Chetan,
You do not need to have a DNAT rule for the packets to reach the host in
Network A. SNAT & DNAT are 2 different NATting policies used for different
purposes and in different chains.
Let's see if I can explain what is happening:
- An ICMP packet from host A destined for host B reaches the Linux box.
The Linux box does the SNATting (that is, the source IP is changed to that of
the Linux box's outgoing interface IP) and an entry for this connection is made
in the ip_conntrack file.
NOTE: When the first packet in a new connection matches a NAT rule, the
entire stream is automatically NATted henceforth. That is, not every packet
belonging to this connection needs to go through the same rule, but the
action will be taken on all of them. Check this out -
- The ICMP packet reaches host B, which in turn replies back to the
Linux box.
- Using connection tracking & NATting, the Linux box then changes the
destination IP to that of host A and sends out the ICMP reply to host A.
I do not understand why you would just want to ping the hosts in network B
and not get the replies back to the host in network A. Nevertheless, you can add
a rule in your MANGLE POSTROUTING chain to drop the ICMP replies before they
reach network A.
I hope this helps.
Best Regards,
Deepak
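To make the point of the reply above concrete, here is an added toy model of what the Linux box does for ICMP echo (example code written for this thread, not netfilter's code and not something Deepak or Chetan posted). It models the two steps described: the nat POSTROUTING rule rewrites the source of the first outbound packet and records a conntrack entry keyed by the translated tuple; the reply is then matched against that entry and has its destination rewritten back, with no DNAT rule anywhere. ICMP has no ports, so conntrack uses the echo identifier as the per-flow key; the model also shows the edge case where two internal hosts pick the same echo id towards the same destination and the box has to remap the id, as netfilter does. The IP addresses and the `SnatBox` class name are constructed for the example. A reply with no matching conntrack entry is returned as `None`, which is the behaviour a defender relies on: unsolicited inbound packets never get forwarded into network A. Note that in a real setup the usual place to filter forwarded traffic is the filter table's FORWARD chain.

```python
"""Toy model of stateful SNAT for ICMP echo, mirroring netfilter's conntrack
behaviour.  Illustrative only; addresses below are constructed examples."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: str  # "echo-request" or "echo-reply"
    icmp_id: int    # echo identifier; conntrack uses it as the flow key for ICMP


@dataclass(frozen=True)
class Conn:
    orig_src: str   # host in network A that sent the request
    orig_id: int    # echo id the internal host used (may differ after remapping)


class SnatBox:
    """The Linux box between network A (internal prefix) and network B."""

    def __init__(self, public_ip: str, internal_prefix: str) -> None:
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix
        # conntrack table keyed by the *translated* reply tuple: (peer, echo id)
        self.conntrack: Dict[Tuple[str, int], Conn] = {}

    def _free_id(self, peer: str, wanted: int) -> int:
        """Pick an echo id not already in use towards this peer (netfilter
        remaps the id on collision so replies stay unambiguous)."""
        cand = wanted
        while (peer, cand) in self.conntrack:
            cand = (cand + 1) % 65536
        return cand

    def postrouting_nat(self, pkt: IcmpPacket) -> IcmpPacket:
        """nat POSTROUTING: SNAT the first packet of a new flow and record it.
        Equivalent rule: iptables -t nat -A POSTROUTING -o <wan> -j SNAT --to <public_ip>."""
        if pkt.icmp_type != "echo-request" or not pkt.src.startswith(self.internal_prefix):
            return pkt  # rule does not match; packet passes unchanged
        new_id = self._free_id(pkt.dst, pkt.icmp_id)
        self.conntrack[(pkt.dst, new_id)] = Conn(pkt.src, pkt.icmp_id)
        return IcmpPacket(self.public_ip, pkt.dst, pkt.icmp_type, new_id)

    def prerouting_reply(self, pkt: IcmpPacket) -> Optional[IcmpPacket]:
        """Inbound reply: reverse the translation purely from the conntrack
        entry.  No DNAT rule is consulted.  Returns None when nothing matches."""
        if pkt.icmp_type != "echo-reply" or pkt.dst != self.public_ip:
            return None
        conn = self.conntrack.get((pkt.src, pkt.icmp_id))
        if conn is None:
            return None  # unsolicited reply: never forwarded into network A
        return IcmpPacket(pkt.src, conn.orig_src, pkt.icmp_type, conn.orig_id)


def demo() -> dict:
    """Run the exchange from the thread: host A pings host B through the box."""
    box = SnatBox(public_ip="203.0.113.1", internal_prefix="10.0.0.")
    host_a, host_a2, host_b = "10.0.0.5", "10.0.0.6", "192.0.2.10"

    out1 = box.postrouting_nat(IcmpPacket(host_a, host_b, "echo-request", 100))
    back1 = box.prerouting_reply(IcmpPacket(host_b, box.public_ip, "echo-reply", out1.icmp_id))

    # second internal host happens to use the same echo id towards host B
    out2 = box.postrouting_nat(IcmpPacket(host_a2, host_b, "echo-request", 100))
    back2 = box.prerouting_reply(IcmpPacket(host_b, box.public_ip, "echo-reply", out2.icmp_id))

    # a reply nobody asked for
    stray = box.prerouting_reply(IcmpPacket(host_b, box.public_ip, "echo-reply", 999))

    return {"out1": out1, "back1": back1, "out2": out2, "back2": back2, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

Running the module prints the translated request, the reply delivered back to 10.0.0.5 with its original echo id, the remapped second flow, and `None` for the stray reply.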